Users may expect that properties of WEBrick::HTTPRequest to be not
malformed/faked. But at the fact, in current implementation, following
properties can be malformed and faked by HTTP header sent by attacker.

HTTPRequest#host

can be malformed/faked by 'x-forwarded-host'

can be faked by 'Host'

HTTPRequest#port

can be faked by 'Host'

HTTPRequest#server_name

can be malformed/faked by 'x-forwarded-server'

HTTPRequest#remote_ip

can be malformed/faked by 'x-forwarded-for' and 'client-ip'

HTTPRequest#ssl?

can be faked by 'Host'

HTTPRequest#meta_vars (Hash of meta vars such as 'REQUEST_URI')

can be malformed/faked by some HTTP headers

Here's the list of reason why we're thinking it's not a
high-priority security bug at this moment.

For faked data issue, we don't have a way to guarantee that it's not
faked. So developers of HTTPRequest must aware of that.

For malformed data issue, it should be a bug of HTTPRequest to be
fixed, but it's the same problem for x-forwarded-host,
x-forwarded-server and client-ip. We're offering those data in as-is
basis from HTTP header so we can expect users handle the data
properly for their purpose (for dumping to xterm, embedding to HTML,
etc.)

And the fix for this bug would be a little complex for quick-fix
because it's not only x-forwarded-for which causes this issue.
'client-ip' needs care, too. Documentation would be enough for
server_name. We think we need general development cycle for fixing
it.